How Guccifer 2.0 Got 'Punk'd' by a Security Researcher

Security expert and former Illinois state senate candidate John Bambenek details his two months of online interaction with the 'unsupervised cutout' who shared with him more stolen DCCC documents.

[Updated at 2:50 p.m. ET with link to Bambenek's blog post on the research]

KASPERSKY SECURITY ANALYST SUMMIT 2018 – Cancun, Mexico – Veteran security researcher John Bambenek purposely broke one of the first rules of OPSEC, never expose your true identity to the adversary, when he decided to reach out to Guccifer 2.0 to gather intel on the 2016 presidential campaign hacks.

For a two-month period in late 2016 - not long after the infamous Guccifer 2.0 persona first appeared online and began leaking stolen documents from the Russian hacks of the Democratic National Committee (DNC) and Democratic Congressional Campaign Committee (DCCC) to the media and via Twitter - Bambenek reached out to Guccifer 2.0 via a Twitter direct message (DM), using his real name and actual party affiliation as an Illinois Republican.

"I didn't think it would work," says Bambenek, who contacted the mysterious online persona with the premise of requesting access to other stolen DCCC documents Guccifer 2.0 had in his possession. Bambenek at the time was working for Fidelis Cybersecurity and investigating the Russian hacks of the DNC and the DCCC, and had hoped to gather more intelligence and insight on the Russian state hacking and election influence operation via interactions with Guccifer 2.0. He is also a former Illinois state senate candidate and currently serves on the state's board of higher education as well as its community college board.

Using his real name was a calculated risk that Bambenek knew at worst could halt his communications with Guccifer 2.0 if the Kremlin were to discover that he was a security researcher, but at best the ruse would provide him quicker online access to Guccifer 2.0. Surprisingly, it apparently took Guccifer 2.0 nearly two months to realize he had been duped even though Bambenek's job information was included in his Twitter profile, according to the researcher.

Whether Guccifer 2.0 was truly fooled or playing along with the ruse remains unclear, but Bambenek observed that he mostly appeared eager to share and show off the stolen data Bambenek requested. "It would be odd that he played dumb that long, but deception is the primary tool in the intel tool belt," Bambenek notes.

From Aug. 12 to mid-Oct. 2016, Guccifer 2.0 fed Bambenek stolen DCCC documents that included background on the 17th District and 8th District races in Illinois, call logs from the DCCC chair, "path to victory" documents, and other data points about various races in the state. One such stolen file was a call sheet addressed to then-Vice President Joe Biden from the DCCC chair about contacting a possible Democratic candidate for the Illinois 10th District race. Bambenek in turn handed each message and document he obtained to the FBI.

But it was obvious to Bambenek that Guccifer 2.0 didn't understand or have any knowledge of the relevance of the stolen data, which included unremarkable documents on unopposed primaries, for example. "He never had anything overly useful," he says. "They probably had some stuff and didn't know how to make hay with it."

Guccifer 2.0 in online blog posts and leaks during the campaign took credit for the DNC hack and denied any link to Russia. In an interview with Motherboard in June of 2016, Guccifer claimed to be a hacker from Romania who had exploited a security flaw in a software-as-a-service provider platform that the DNC uses that ultimately gave him access to its servers. Security experts at the time, including Fidelis and CrowdStrike, had identified Russian nation-state groups Cozy Bear and Fancy Bear as the attackers.

No 'Adult Supervision'

In his initial DM to Guccifer on Aug. 12 of last year, Bambenek said: "I am interested in any other docs you may have" and, noting that he was a "Republican operative," asked for "emails that can affect an election, well, they'd be used for maximum impact."

Bambenek, now vice president of security research at ThreatSTOP, says his interactions with Guccifer 2.0 over Twitter DMs and email revealed that this was a low-level operative not closely supervised by the Russian government. "He was an unsophisticated cutout without adult supervision and any media savvy," he says. Guccifer 2.0's main goal was to leak to media and Republican officials.

"If we were to pick him up at the airport, we would not be excited about the intel we would get" from him, Bambenek says.

Bambenek couldn't determine definitively just who Guccifer 2.0 was, nor whether the online persona was actually multiple people posing as one individual. Guccifer 2.0 lacked insight into and knowledge of the content of the DCCC documents and never actually provided the leaks in any "narrative form" indicating their usefulness: it was up to researchers and reporters to connect any dots, Bambenek observed.

Most likely, Bambenek says, Guccifer 2.0 is a young person (or persons) who doesn't speak fluent English, based on some linguistic clues he culled. "It looked like the same person [the whole time], but I don't know if I can make a strong conclusion one way or the other," he says, adding that Guccifer 2.0's errors in the verb "to be" are indicative of a non-native speaker. He was not able to determine a physical location for Guccifer 2.0, but believes he operated on behalf of Russian state actors.

Guccifer 2.0 was basically given the documents to dump "and go forth and troll," he says.

But Guccifer 2.0 did remain well-masked during Bambenek's interactions with him. He used Proton email, a privacy-conscious email protocol, for example. "One of the things we were doing as researchers was giving him real-time feedback on his tradecraft mistakes ... then he stopped making metadata mistakes" in his document dumps, Bambenek says.

On Oct. 4, 2016, Guccifer 2.0 DM'ed Bambenek with a message that indicated he was on to the ruse: "r ur company gonna make a story about me?"

"He had realized I was playing him," says Bambenek.

Guccifer 2.0 for the most part appeared to be under pressure to generate online controversy and news articles about the dumped documents. At one point, Bambenek asked if he had any Democratic Governors Association documents or documents on Democratic senators. "Either he didn't take the bait, or he didn't have it," he says.

"For the most part, the influence operation by the Russians was more lucky than smart. They had a lot of information that they didn't know how to package or what to do with," he says. "My takeaway is that [in] 2016 they were not fully invested. They threw out cutouts and told them to go and have fun."

Bambenek will present takeaways from his interactions with Guccifer 2.0 in a presentation here today.

He expects Russia to employ more Guccifer 2.0-type activity in this year's and the 2019 campaigns. "This was about undermining institutions and getting us to war with ourselves as a country. And it was radically successful."

Meanwhile, Bambenek reached out to Guccifer 2.0 via email to give him (or them) a heads up about today's talk at SAS. "Just to see if he'd click a link and show signs of life and to see if he's paying attention," Bambenek says. As of this posting, no response from Guccifer 2.0.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...